McAfee was the first security firm to publicize the issue, followed by FireEye.

Rather than this being a pure software vulnerability, McAfee characterizes the flaw as a "logical" bug that allows a malicious Word document to skirt around security protections built into Windows.

These types of exploits can be especially effective when used in combination with so-called spear-phishing attempts. Spear phishing involves carefully crafting emails with malicious attachments that appear to be legitimate in order to trick a victim into running the exploit code and inadvertently infecting their own computer.

Microsoft has been prepping a fix for this zero-day flaw.

"We plan to address this through an update on Tuesday, April 11, and customers who have updates enabled will be protected automatically," a spokesman tells Information Security Media Group. "Meanwhile, we encourage customers to practice safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."

Logical Bug

McAfee picked up on the attacks April 6, saying it immediately alerted Microsoft to the flaw, and notes that the campaign appears to have begun in late January. The related exploit is effective against all versions of Microsoft Office on Windows, writes Haifei Li, a senior vulnerability researcher with McAfee, in a blog post.

Related attacks begin with a malicious Word document. The document contains an OLE2link object (OLE is short for object linking and embedding), a feature that allows external content to be loaded into a document.

If the document is opened, Word issues an HTTP request that retrieves a malicious .hta file, which is an HTML application, writes Genwei Jiang, a senior research engineer with FireEye.

A malicious Visual Basic script is then loaded. It closes the rigged document and then shows a bogus one. Meanwhile, the script downloads other payloads. Although the OLE2link displays a user prompt, the winword.exe process terminates it so the user doesn't see it.

The attack neatly routes around some of Microsoft's security protections, although FireEye says its systems can detect the malicious documents.
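The chain described above leaves a concrete artifact to look for before the document is ever opened: an OLE object whose target is a remote URL rather than embedded data. The scanner below is an added example written for this article; it is not code from the article, McAfee, FireEye or Microsoft. It handles two containers: an OOXML .docx, where a linked OLE object is recorded as an oleObject relationship with TargetMode="External" (public OOXML schema URIs), and a non-zip container such as RTF, where the heuristic hex-decodes object data and looks for the "OLE2Link" class name next to an http(s) URL (the byte layout is an assumption of this example). The sample documents and the URL are constructed placeholders, not indicators from the page.

```python
"""Flag Word documents whose OLE object links out to a remote (HTTP) target.

Added detection example for this article; not code from the article, McAfee,
FireEye or Microsoft. Sample documents are constructed below; the URL is a
placeholder, not a real indicator.
"""
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Public OOXML schema URIs for the relationships part and the OLE object type.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
URL_RE = re.compile(r"https?://[^\s\"'<>{}\\]{1,200}", re.I)
HEX_RUN = re.compile(rb"[0-9a-fA-F]{32,}")


def external_ole_targets(doc_bytes):
    """Return Target values of oleObject relationships marked External in a .docx."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def ole2link_urls(raw):
    """Decode hex runs (RTF \\objdata style), keep those naming OLE2Link, and pull
    any URL stored beside the class name, whether ASCII or UTF-16LE (assumed layout)."""
    hits = []
    packed = re.sub(rb"\s+", b"", raw)
    for run in HEX_RUN.findall(packed):
        for offset in (0, 1):  # nibble alignment is unknown; try both
            chunk = run[offset:]
            blob = binascii.unhexlify(chunk[: len(chunk) // 2 * 2])
            if b"ole2link" not in blob.lower():
                continue
            texts = [blob.decode("latin-1"),
                     blob.decode("utf-16-le", "ignore"),
                     blob[1:].decode("utf-16-le", "ignore")]
            for text in texts:
                hits.extend(URL_RE.findall(text))
    return list(dict.fromkeys(hits))  # de-duplicate, keep order


def scan_document(data):
    """Return (kind, target, is_hta) findings; an empty list means nothing found."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        found = [("external-ole-object", t) for t in external_ole_targets(data)]
    else:
        found = [("ole2link-url", u) for u in ole2link_urls(data)]
    # A remote .hta is the exact chain the article describes; mark it explicitly.
    return [(kind, t, t.lower().rstrip("/").endswith(".hta")) for kind, t in found]


# --- constructed samples (placeholder URL, not a real indicator) ---
CONSTRUCTED_URL = "http://payload.example/decoy.hta"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def _build_docx(rels_xml):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document xmlns:w='%s'/>" % WORD_NS)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


LINKED_DOCX = _build_docx(
    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId4" Type="{OLE_REL}" '
    f'Target="{CONSTRUCTED_URL}" TargetMode="External"/></Relationships>')
CLEAN_DOCX = _build_docx(
    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId4" Type="{OLE_REL}" '
    f'Target="embeddings/oleObject1.bin"/></Relationships>')
LINKED_RTF = (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
              + binascii.hexlify(b"OLE2Link" + CONSTRUCTED_URL.encode("utf-16-le"))
              + b"}}}")

if __name__ == "__main__":
    for label, doc in (("linked docx", LINKED_DOCX), ("clean docx", CLEAN_DOCX),
                       ("linked rtf", LINKED_RTF)):
        print(label, scan_document(doc))
```

The OOXML check is exact: an oleObject relationship with TargetMode="External" is a link, not an embedding, and a document that has no business fetching objects over HTTP should never carry one. The RTF check is a heuristic and will miss object data that is obfuscated or split differently, so treat it as a triage signal for mail-gateway or sandbox pre-filtering rather than a complete detector.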

"Because .hta is executable, the attacker gains full code execution on the victim's machine," writes Li of McAfee. "Thus, this is a logical bug and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft."

Jumping the Gun?

McAfee may have jumped the gun on disclosure. But it's not unheard of for bugs to be disclosed before there's a patch, if the entity that found the flaw thinks that active attacks exploiting the flaw are already putting users at great risk.

Confirmation of extensive, related attacks arrived April 10 via a blog post from security firm Proofpoint, which said that the notorious Dridex botnet has been targeting the vulnerability via millions of spam emails that primarily target Australia.

FireEye says it has known of the problem and has been working with Microsoft for several weeks. After seeing McAfee's post, FireEye followed up with a blog of its own. "After recent public disclosure by another company, this blog serves to acknowledge FireEye's awareness and coverage of these attacks," Jiang writes.

But the flaw appears to have been first reported to Microsoft in October 2016 by Ryan Hanson, a security consultant at Optiv, an IT service management firm based in Denver. He warns that the underlying flaw may not exist only in Microsoft Office.

@jessysaurusrex patch is coming tomorrow. I know this because I disclosed it in October. I've also shared a temporary fix for it as well

Until Microsoft issues a fix, there is a workaround, McAfee says. Microsoft's Protected View will at least show a prompt warning users when a potentially suspicious file has been downloaded from the internet. System administrators can configure Protected View so that users can't disable it, which is a good idea.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
